diff --git a/.github/workflows/enforce-draft-pr.yml b/.github/workflows/enforce-draft-pr.yml
index 6a5da12272..623fa84207 100644
--- a/.github/workflows/enforce-draft-pr.yml
+++ b/.github/workflows/enforce-draft-pr.yml
@@ -4,18 +4,23 @@ on:
   pull_request_target:
     types: [opened, reopened]
 
-permissions:
-  pull-requests: write
-
 jobs:
   enforce-draft:
     name: Enforce Draft PR
     runs-on: ubuntu-24.04
     if: github.event.pull_request.draft == false
     steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859  # v2
+        with:
+          app-id: ${{ vars.SDK_MAINTAINER_BOT_APP_ID }}
+          private-key: ${{ secrets.SDK_MAINTAINER_BOT_PRIVATE_KEY }}
+
       - name: Convert PR to draft
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea  # v7.0.1
         with:
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             const pullRequest = context.payload.pull_request;
             const repo = context.repo;